Title: [105750] trunk
- Revision
- 105750
- Author
- [email protected]
- Date
- 2012-01-24 10:33:05 -0800 (Tue, 24 Jan 2012)
Log Message
Crash when accessing removed parent in InlineTextBox.
https://bugs.webkit.org/show_bug.cgi?id=72982
Reviewed by James Robinson.
Source/WebCore:
The crash happens because:
1. We add heading element(h1) before the span element(span1),
causing splitflow on the anonymous block containing BeforeText,
span1(and SpanText) and AfterText.
2. span1 moves to the cloneBlock (continuation).
3. Our anonymous block and cloneBlock are both marked for layout,
however we still have a copy of our lineboxes with its children,
the textboxes belonging to SpanText.
4. Our anonymous block's only child BeforeText is getting removed,
so we don't have any children anymore and we delete our lineboxes,
leaving behind the children textboxes belonging to SpanText.
5. SpanText is getting destroyed, so it tries to inform removed
parent lineboxes causing the crash.
Test: fast/block/block-remove-child-delete-line-box-crash.html
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::removeChild):
LayoutTests:
Test passes if it does not crash on ASSERT(!m_hasBadParent)
in InlineBox::parent().
* fast/block/block-remove-child-delete-line-box-crash-expected.txt: Added.
* fast/block/block-remove-child-delete-line-box-crash.html: Added.
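The ownership hazard behind steps 3 to 5 of the log, as a toy model added for this review (it is not WebKit code): a block's root line box and a text renderer's own box list both reference the same child box, so destroying only the roots leaves the renderer holding a box whose parent has been freed. The names Arena, Box, BoxList, deleteLineBoxes, deleteLineBoxTree and teardownTouchesFreedParent are simplified stand-ins chosen for the example, and the "bad parent" flag imitates the debug-only marker the ASSERT in the log checks.

```cpp
// Toy model of the line-box ownership hazard described in the log above.
// Written for this review; not WebKit code. Every name here is a simplified
// stand-in for the WebKit class or function that plays the same role.
#include <algorithm>
#include <cassert>
#include <memory>
#include <vector>

struct Box;
using BoxList = std::vector<Box*>;

struct Box {
    Box* parent = nullptr;
    bool hasBadParent = false;       // set when the parent is freed (WebKit's m_hasBadParent)
    BoxList children;                // non-owning child list, like InlineFlowBox's
    BoxList* rendererList = nullptr; // the list the creating renderer keeps (RenderText's text boxes)
};

// All boxes live in one arena, as in WebKit's RenderArena.
struct Arena {
    std::vector<std::unique_ptr<Box>> storage;

    Box* alloc(Box* parent, BoxList* rendererList) {
        storage.push_back(std::unique_ptr<Box>(new Box()));
        Box* b = storage.back().get();
        b->parent = parent;
        b->rendererList = rendererList;
        if (parent)
            parent->children.push_back(b);
        if (rendererList)
            rendererList->push_back(b);
        return b;
    }

    // Freeing a box marks any child still attached as having a bad parent
    // (what InlineFlowBox's debug destructor does), unlinks the box from its
    // renderer's list, and releases it.
    void free(Box* b) {
        for (Box* c : b->children)
            c->hasBadParent = true;
        if (b->rendererList) {
            auto it = std::find(b->rendererList->begin(), b->rendererList->end(), b);
            if (it != b->rendererList->end())
                b->rendererList->erase(it);
        }
        storage.erase(std::find_if(storage.begin(), storage.end(),
                                   [b](const std::unique_ptr<Box>& p) { return p.get() == b; }));
    }
};

// Old path: only the root line boxes are destroyed. Their children survive in
// the renderers' own lists with a parent pointer into freed memory.
void deleteLineBoxes(Arena& arena, BoxList& roots) {
    BoxList doomed;
    doomed.swap(roots);
    for (Box* r : doomed)
        arena.free(r);
}

// New path: walk the tree, detach and free every descendant first, so no
// renderer is left holding a box whose parent is gone.
void deleteLine(Arena& arena, Box* b) {
    for (Box* c : b->children) {
        c->parent = nullptr;
        deleteLine(arena, c);
    }
    b->children.clear();
    arena.free(b);
}

void deleteLineBoxTree(Arena& arena, BoxList& roots) {
    BoxList doomed;
    doomed.swap(roots);
    for (Box* r : doomed)
        deleteLine(arena, r);
}

// Steps 3-5 of the log: a block owns a root line box whose only child text box
// belongs to a separate text renderer (SpanText). The block deletes its line
// boxes; later SpanText is destroyed and tells each of its boxes' parents to
// drop the box. Returns true if that teardown would touch a freed parent.
bool teardownTouchesFreedParent(bool useTreeDeletion) {
    Arena arena;
    BoxList blockRoots;                 // the block's root line boxes
    BoxList spanTextBoxes;              // SpanText's own list of text boxes

    Box* root = arena.alloc(nullptr, nullptr);
    blockRoots.push_back(root);
    arena.alloc(root, &spanTextBoxes);  // SpanText's text box, child of root

    if (useTreeDeletion)
        deleteLineBoxTree(arena, blockRoots);
    else
        deleteLineBoxes(arena, blockRoots);

    // SpanText destroyed: each surviving box would call parent()->removeChild().
    for (Box* b : spanTextBoxes) {
        if (b->parent && b->hasBadParent)
            return true;                // ASSERT(!m_hasBadParent) in debug, use-after-free in release
    }
    return false;
}
```

With the old path the model reports a box still held by SpanText whose parent was freed; with the tree walk SpanText's list is empty by the time it is destroyed, which is the situation the one-line change in RenderBlock::removeChild restores.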
Diff
Modified: trunk/LayoutTests/ChangeLog (105749 => 105750)
--- trunk/LayoutTests/ChangeLog 2012-01-24 18:28:22 UTC (rev 105749)
+++ trunk/LayoutTests/ChangeLog 2012-01-24 18:33:05 UTC (rev 105750)
@@ -1,3 +1,16 @@
+2012-01-24 Abhishek Arya <[email protected]>
+
+ Crash when accessing removed parent in InlineTextBox.
+ https://bugs.webkit.org/show_bug.cgi?id=72982
+
+ Reviewed by James Robinson.
+
+ Tests passes if it does not crash on ASSERT(!m_hasBadParent)
+ in InlineBox::parent().
+
+ * fast/block/block-remove-child-delete-line-box-crash-expected.txt: Added.
+ * fast/block/block-remove-child-delete-line-box-crash.html: Added.
+
2012-01-24 Levi Weintraub <[email protected]>
Update Snow Leopard image test expectations
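Review bot: "Tests passes" in the new ChangeLog entry should read "Test passes". The entry also says only what must not assert; one line naming the scenario (a column-span h1 inserted before a span inside a multicolumn div) would let readers of the ChangeLog place the test without opening it.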
Added: trunk/LayoutTests/fast/block/block-remove-child-delete-line-box-crash-expected.txt (0 => 105750)
--- trunk/LayoutTests/fast/block/block-remove-child-delete-line-box-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/block/block-remove-child-delete-line-box-crash-expected.txt 2012-01-24 18:33:05 UTC (rev 105750)
@@ -0,0 +1,5 @@
+BeforeText
+heading
+
+SpanTextAfterText
+ParaText
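Review bot: the expectation is a plain text dump, so the file documents rendering order only and the real pass condition (no ASSERT, no crash) stays implicit. That is the usual shape for a crash test, but it means an unrelated change to how multicolumn text is dumped will surface here as a text mismatch rather than a crash, which is worth knowing when this test is triaged later.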
Added: trunk/LayoutTests/fast/block/block-remove-child-delete-line-box-crash.html (0 => 105750)
--- trunk/LayoutTests/fast/block/block-remove-child-delete-line-box-crash.html (rev 0)
+++ trunk/LayoutTests/fast/block/block-remove-child-delete-line-box-crash.html 2012-01-24 18:33:05 UTC (rev 105750)
@@ -0,0 +1,23 @@
+<html>
+<style>
+div { -webkit-column-count:2; }
+h1 { -webkit-column-span: all; }
+</style>
+<body>
+<summary>
+<div id="div1">
+BeforeText<span id="span1">SpanText</span>AfterText
+<p>ParaText</p>
+</div>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+document.body.offsetTop;
+var h1 = document.createElement('h1');
+h1.appendChild(document.createTextNode('heading'));
+div1.insertBefore(h1, span1);
+</script>
+</summary>
+</body>
+</html>
\ No newline at end of file
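Review bot: div1 and span1 are reached through named-element window properties; use document.getElementById for both so the repro does not depend on that lookup. The ASSERT(!m_hasBadParent) this test targets fires only in debug builds, so in a release build the same sequence is a use-after-free that this test catches only under a memory checker; a comment saying so would help whoever sees it fail later. The `<summary>` wrapper sits outside any `<details>`: if it is not needed to reproduce, drop it, and if it is, say so in a comment. The file is also missing its trailing newline.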
Modified: trunk/Source/WebCore/ChangeLog (105749 => 105750)
--- trunk/Source/WebCore/ChangeLog 2012-01-24 18:28:22 UTC (rev 105749)
+++ trunk/Source/WebCore/ChangeLog 2012-01-24 18:33:05 UTC (rev 105750)
@@ -1,3 +1,29 @@
+2012-01-24 Abhishek Arya <[email protected]>
+
+ Crash when accessing removed parent in InlineTextBox.
+ https://bugs.webkit.org/show_bug.cgi?id=72982
+
+ Reviewed by James Robinson.
+
+ The crash happens because:
+ 1. We add heading element(h1) before the span element(span1),
+ causing splitflow on the anonymous block containing BeforeText,
+ span1(and SpanText) and AfterText.
+ 2. span1 moves to the cloneBlock (continuation).
+ 3. Our anonymous block and cloneBlock are both marked for layout,
+ however we still have a copy of our lineboxes with its childs
+ as the textboxes belonging to SpanText.
+ 4. Our anonymous block only child BeforeText is getting removed,
+ so we dont have any children anymore and we delete our lineboxes,
+ leaving behind the children textboxes belonging to SpanText.
+ 5. SpanText is getting destroyed, so it tries to inform removed
+ parent lineboxes causing the crash.
+
+ Test: fast/block/block-remove-child-delete-line-box-crash.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::removeChild):
+
2012-01-24 Mario Sanchez Prada <[email protected]>
[GTK] Refactor GTK's accessibilitity code to be more modular
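Review bot: in the new entry, "childs" should be "children", "dont" should be "don't", and "Our anonymous block only child" should be "Our anonymous block's only child". More importantly the entry explains the crash but not the fix: add a sentence under the RenderBlock.cpp line saying that deleteLineBoxTree() walks into the child boxes before freeing the roots, whereas deleteLineBoxes() destroys only the root boxes and leaves SpanText's text boxes pointing at them.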
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (105749 => 105750)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-01-24 18:28:22 UTC (rev 105749)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-01-24 18:33:05 UTC (rev 105750)
@@ -1091,7 +1091,7 @@
if (!firstChild() && !documentBeingDestroyed()) {
// If this was our last child be sure to clear out our line boxes.
if (childrenInline())
- lineBoxes()->deleteLineBoxes(renderArena());
+ deleteLineBoxTree();
}
}
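Review bot: the replacement is right but silent about why it matters: deleteLineBoxes() frees only the root boxes in this block's line box list, so the text boxes that SpanText's renderer still lists keep parent pointers into freed memory (steps 3 to 5 of the log), whereas deleteLineBoxTree() takes the whole tree down. The comment above, "be sure to clear out our line boxes", still reads as the old intent; extend it, for example "Delete the whole tree: child boxes may belong to renderers that moved to a continuation and must not keep dangling parent pointers." Worth a quick check whether any other caller destroys line boxes with deleteLineBoxes() after a split, since the same hazard would apply there.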